From 29011b08016abcf60e4036b47a3b5b1df28110a5 Mon Sep 17 00:00:00 2001
From: Martin Schuppert <mschuppert@redhat.com>
Date: Fri, 26 Jun 2026 14:06:49 +0200
Subject: [PATCH] Remove tj-actions/branch-names from upgrade catalog workflow

Replace tj-actions/branch-names with github.ref_name which provides
the branch name natively without a third-party action. The tj-actions
GitHub namespace was compromised in March 2025 (CVE-2025-30066) and
using actions from that namespace is no longer recommended. Pass the
value via env: to avoid shell interpolation of untrusted input in run:
blocks.

Jira: OSPRH-31981

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Schuppert <mschuppert@redhat.com>
---
 .github/workflows/catalog-openstack-operator-upgrades.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/catalog-openstack-operator-upgrades.yaml b/.github/workflows/catalog-openstack-operator-upgrades.yaml
index 0c8117ebe..72be8562d 100644
--- a/.github/workflows/catalog-openstack-operator-upgrades.yaml
+++ b/.github/workflows/catalog-openstack-operator-upgrades.yaml
@@ -37,13 +37,10 @@ jobs:
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           path: ./openstack-operator
-      - name: Get branch name
-        id: branch-name
-        uses: tj-actions/branch-names@5250492686b253f06fa55861556d1027b067aeb5 # v9
       - name: Set latest tag for non main branch
-        if: "${{ steps.branch-name.outputs.current_branch != 'main' }}"
+        if: "${{ github.ref_name != 'main' }}"
         run: |
-          echo "latesttag=${{ steps.branch-name.outputs.current_branch }}-latest" >> $GITHUB_ENV
+          echo "latesttag=${{ github.ref_name }}-latest" >> $GITHUB_ENV
       - name: Install opm
         uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1
         with: